[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Thu Apr 23 01:04:51 UTC 2015
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
Reporter: tdelmas | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by dd32):
Unfortunately this just isn't going to be possible for WordPress to add.
WordPress historically has support for inline JS, both being emitted by
core (Emoji in 4.2 is a good example) and user-added (inline Javascript in
posts is allowed if you're an administrator).
While CSP is a great mechanism, and should definitely be used on sites
that need it (I'd suggest a plugin), it doesn't make sense by default in
WordPress IMHO.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list